Title of invention: Offloading encryption to the client
Abstract: Exemplary methods for offloading encryption to a client include receiving from a first client a first encrypted data and a corresponding first encrypted key, and decrypting the first encrypted key to recover a first key, without decrypting the first encrypted data. In one embodiment, the methods further include encrypting the first key using a second key to create a second encrypted key, wherein the second key is available only to the storage system, and storing the second encrypted key and the first encrypted data as received, without having to decrypt and re-encrypt the first encrypted data.
Publication number: US9195851(B1) Publication date: 2015.11.24
Application number: US201414207078 Filing date: 2014.03.12
Applicant: EMC Corporation Inventor: Chandra Surendar
Classification: H04L29/06;G06F21/62;H04L9/08 Main classification: H04L29/06
Agency: Blakely, Sokoloff, Taylor & Zafman LLP Agent: Blakely, Sokoloff, Taylor & Zafman LLP
Main claim: 1. A computer-implemented method for encrypting data stored at a storage system, the method comprising: receiving from a first client a first encrypted data and a corresponding first encrypted key; decrypting the first encrypted key to recover a first key, without decrypting the first encrypted data; encrypting the first key using a second key to create a second encrypted key, wherein the second key is available only to the storage system; storing the second encrypted key and the first encrypted data as received, without having to decrypt and re-encrypt the first encrypted data; receiving from a second client a request to access the first encrypted data; in response to the request, retrieving from storage the second encrypted key and the first encrypted data; decrypting the second encrypted key retrieved from the storage to recover the first key; encrypting the first key using a third key to create a third encrypted key; and sending to the second client the third encrypted key and the first encrypted data as retrieved from the storage, without having to decrypt and re-encrypt the first encrypted data.
Address: Hopkinton MA US
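The key re-wrapping flow recited in the main claim, as an added Python sketch that is not taken from the patent: the storage system unwraps and re-wraps only the first key, while the encrypted data is stored and returned byte for byte. Assumptions: `seal`/`unseal` are a standard-library stand-in (HMAC-SHA256 keystream plus HMAC tag) for whatever authenticated cipher a deployment would use, such as AES-GCM or AES key wrap; `StorageSystem`, `ingest`, `serve`, `k1` and `k3` are hypothetical names, and the keys that each client shares with the storage system are assumed to exist already.

```python
import hashlib, hmac, secrets

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a keystream (stand-in for a real AEAD)
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class StorageSystem:
    def __init__(self):
        self._second_key = secrets.token_bytes(32)  # "second key": never leaves the storage system
        self._store = {}

    def ingest(self, name, client_key, enc_data, enc_key):
        first_key = unseal(client_key, enc_key)      # unwrap the key only; enc_data is untouched
        self._store[name] = (seal(self._second_key, first_key), enc_data)

    def serve(self, name, third_key):
        wrapped, enc_data = self._store[name]
        first_key = unseal(self._second_key, wrapped)
        return seal(third_key, first_key), enc_data  # re-wrap for the reader, data as stored

def demo():
    # Constructed keys: k1/k3 are assumed to be shared between each client and the storage system.
    k1, k3, first_key = (secrets.token_bytes(32) for _ in range(3))
    enc_data = seal(first_key, b"constructed sample record")   # done by the first client
    srv = StorageSystem()
    srv.ingest("obj", k1, enc_data, seal(k1, first_key))
    enc_key3, returned = srv.serve("obj", k3)
    plaintext = unseal(unseal(k3, enc_key3), returned)          # done by the second client
    return plaintext, returned == enc_data

if __name__ == "__main__":
    print(demo())
```

The storage system necessarily holds the first key in memory during each re-wrap, so the scheme offloads the bulk cipher work to clients but does not hide plaintext from a compromised storage system.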